Abstract
Functionality is the highest semantic level of the software behavior pyramid; it reflects the goals of the software rather than its specific implementation. Detecting malicious functionalities is an effective way to detect malware in a behavior-based IDS. The technology for mining system call data discussed herein detects the functionalities that represent the operation of legitimate software within a closed network environment. The set of such functionalities, combined with the frequencies of their execution, constitutes a normalcy profile typical for this environment. Detecting deviations from this normalcy profile, i.e. new functionalities and/or changes in the execution frequencies, provides evidence of abnormal activity in the network caused by malware. This approach could be especially valuable for the detection of targeted zero-day attacks. The paper presents the results of implementing and testing the described technology on a computer network testbed.
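As an added illustration (not code from the paper), assuming functionality labels have already been mined from system call traces, the following Python builds a normalcy profile from per-window execution frequencies and applies the two deviation checks the abstract describes: a functionality absent from the profile, and an execution frequency outside the baseline range. The window data and the label names are constructed.

```python
from collections import Counter
from math import sqrt

# Constructed sample: each entry is one observation window's list of
# functionality labels (names assumed) mined from system call traces.
BASELINE_WINDOWS = [
    ["file_copy", "net_connect", "file_copy", "registry_read"],
    ["file_copy", "registry_read", "net_connect"],
    ["file_copy", "file_copy", "registry_read", "net_connect"],
    ["file_copy", "registry_read", "net_connect", "file_copy"],
]


def build_profile(windows):
    """Normalcy profile: per-functionality mean and std-dev of the
    number of executions observed per window in the baseline."""
    names = {f for w in windows for f in w}
    counts = {n: [Counter(w)[n] for w in windows] for n in names}
    profile = {}
    for name, cs in counts.items():
        mean = sum(cs) / len(cs)
        var = sum((c - mean) ** 2 for c in cs) / len(cs)
        profile[name] = (mean, sqrt(var))
    return profile


def detect_deviations(profile, window, z_threshold=3.0, min_sigma=0.5):
    """Return alerts for a new window: functionalities not present in the
    profile, or whose execution count deviates from the baseline mean by
    more than z_threshold standard deviations. min_sigma keeps a
    constant-frequency baseline from turning every change into an alert."""
    alerts = []
    observed = Counter(window)
    for name in set(profile) | set(observed):
        count = observed.get(name, 0)
        if name not in profile:
            alerts.append(("new_functionality", name, count))
            continue
        mean, sigma = profile[name]
        z = abs(count - mean) / max(sigma, min_sigma)
        if z > z_threshold:
            alerts.append(("frequency_anomaly", name, count))
    return sorted(alerts)
```

In a deployment the profile would be rebuilt periodically from windows already judged benign, so that legitimate changes in the environment do not accumulate as false alarms.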
© 2012 Springer-Verlag Berlin Heidelberg
Skormin, V., Nykodym, T., Dolgikh, A., Antonakos, J. (2012). Customized Normalcy Profiles for the Detection of Targeted Attacks. In: Di Chio, C., et al. Applications of Evolutionary Computation. EvoApplications 2012. Lecture Notes in Computer Science, vol 7248. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29178-4_49
DOI: https://doi.org/10.1007/978-3-642-29178-4_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29177-7
Online ISBN: 978-3-642-29178-4